Procurement model

EDR plus MDR bundle cost: the layered stack vs the all-in.

EDR and MDR can be procured separately (layered) or as a single bundled offering. The cost pictures look similar in aggregate but the lock-in dynamics and procurement complexity differ meaningfully. This page gives the honest comparison of the two models and when each fits.

Last verified April 2026
Illustrative ranges only. Pricing ranges and examples on this page are illustrative market ranges aggregated from public industry research (Gartner Market Guide for EDR public summaries, Forrester EDR Wave public summaries, Verizon DBIR 2025, IBM Cost of a Data Breach 2025, MITRE ATT&CK, public cyber-underwriter guidance). They are not quotes, not vendor-specific, and should not be used as a basis for procurement decisions. Always request a direct quote from the vendors you shortlist.

The two procurement models

EDR and managed-detection-and-response (MDR) can be procured under two structurally different models. The layered model treats them as separate purchases from potentially different vendors; the bundled model purchases them as a single offering from one provider. Both are common in 2026.

Layered model. The customer owns the EDR platform contract directly with the EDR vendor (CrowdStrike, SentinelOne, Microsoft, Sophos, or another EDR provider; the named examples are illustrative of the category). Separately, the customer contracts a managed-detection-and-response provider (a specialist MDR firm, the customer's MSP, or an MDR offering from a different security vendor) to operate on top of the EDR via the platform's API. The MDR provider does not own the platform; they operate it under contract using the customer's EDR licence.

Bundled model. The customer purchases a single MDR offering from one provider that includes both the EDR platform and the service layer wrapped around it. The provider may use their own proprietary EDR, or they may use a partner EDR rebadged or licensed to them at scale. The customer signs one contract, sees one invoice, deals with one vendor relationship.

Both models cover the same fundamental capability stack: continuous endpoint detection, twenty-four-hour monitoring, threat investigation, and routine response. The difference is in commercial structure and the implications for switching cost.

Cost structure of the layered model

Layered procurement has three cost components.

EDR licence. Paid directly to the EDR vendor at the standard per-endpoint per-month rate. Typical mid-market range $5 to $9 per endpoint per month after volume discount, with the upper end applying to premium EDR platforms and the lower end to commodity EDR.

MDR service layer. Paid to the MDR provider at a separate per-endpoint per-month rate for the service component. Typical range $15 to $30 per endpoint per month, with the upper end applying to fully-staffed twenty-four-hour-monitored coverage with proactive threat hunting and the lower end to alert-triage-only service tiers.

Residual internal FTE. Even with MDR, some internal staff time is required for relationship management, escalation handling, post-incident review, and policy decisions. Typically 0.1 to 0.3 FTE per 1,000 endpoints fully-loaded, working out to $15,000 to $50,000 per year per 1,000 endpoints depending on staffing model and geography.

All-in layered cost typically lands at $25 to $50 per endpoint per month combined when all three components are tallied. For a 1,000-endpoint mid-market shop, that is $300,000 to $600,000 per year all-in, with the licence as the smallest of the three components, the service layer as the largest, and the residual internal FTE in the middle.

Cost structure of the bundled model

Bundled procurement has effectively two cost components.

Bundled service rate. Single per-endpoint per-month rate covering both platform and service. Typical range $25 to $45 per endpoint per month all-in, with variation based on coverage depth, response-time commitments, and threat-hunting inclusion.

Residual internal FTE. Same 0.1 to 0.3 FTE residual as in the layered model. The internal-team requirement is similar regardless of procurement model.

All-in bundled cost typically lands at $25 to $50 per endpoint per month combined, similar to the layered model in aggregate. The cost saving from bundled volume discount (the MDR provider buys EDR at scale and passes some of the volume discount through) can be 5 to 15 percent at the headline level, but the difference is often consumed by the MDR provider's margin on the platform component. Net effect on customer all-in cost is usually within 10 percent between the two models.

The lock-in tradeoff

The most important non-cost difference between the two models is structural lock-in.

Layered model preserves platform independence. The customer owns the EDR contract directly. If the MDR service quality drops, the customer can switch MDR providers without changing the platform. The new MDR provider integrates with the existing EDR via the same API; the telemetry retention is preserved; the detection-rule tuning carries forward; the integration with other security tools is unchanged. Switching cost is real (60 to 90 days transition for the new MDR provider to come up to speed) but materially lower than switching the platform itself.

Bundled model creates structural lock-in. Switching the MDR provider means switching the EDR platform. The telemetry retention does not migrate; the analyst familiarity does not transfer; the detection-rule tuning is lost; the integration with other security tooling has to be redone. Total switching cost is typically 6 to 12 months of effort and 20 to 40 percent of annual contract value in transition cost.

The lock-in difference matters more for some customers than others. Customers with strong vendor-management discipline and willingness to switch providers when warranted value the layered model's flexibility. Customers prioritising procurement simplicity and stable long-term vendor relationships may value the bundled model's consolidation. The decision should be made deliberately rather than by default.

The procurement-simplification value

Bundled MDR offers genuine procurement simplification that has real internal cost value.

One contract instead of two. Legal review effort, vendor-management onboarding, security-architecture review all happen once instead of twice. For organisations where contract volume is meaningful (financial services, healthcare, regulated industries), the saving from one contract instead of two is real.

One invoice instead of two. Accounts-payable cycle simplicity, one purchase-order reconciliation, one renewal cycle to manage. The cost saving is small but real.

One vendor relationship instead of two. Single account-manager, single quarterly business review, single escalation path. Customer-success time is concentrated on one relationship rather than divided across two.

Integrated tooling and workflow. The bundled offering typically has tighter integration between platform and service than equivalent layered combinations, because the provider controls both layers. Analyst console workflow, alert format, response workflow, and reporting are consistent rather than spanning two systems.

The procurement-simplification value is the main reason bundled MDR exists as a category. Customers who genuinely value the simplification are willing to accept the lock-in tradeoff. Customers who do not place high value on simplification typically prefer the layered model for the flexibility.

Adding MDR to an existing EDR

A common adoption path is to start with EDR alone and add MDR later as the security program matures. Most MDR providers offer service-only contracts that operate on the customer's existing EDR via the platform's API, allowing customers to add the service layer to an existing EDR investment without re-procuring the platform.

The transition typically takes 60 to 90 days for the MDR provider to come up the learning curve on the customer's environment: deploying their own correlation rules, integrating with the customer's incident-response workflow, establishing escalation paths, and building familiarity with the customer's specific application surface. The transition cost is typically a one-time onboarding fee of $10,000 to $50,000 plus the ongoing per-endpoint MDR service rate of $15 to $30 per endpoint per month layering on top of the existing EDR licence.

The adoption-path approach has the advantage of letting the customer evaluate the EDR platform fit first, building confidence in the platform before committing to a longer-term MDR relationship. Customers who start with EDR alone and add MDR after 6 to 18 months of EDR operation typically report a smoother MDR onboarding because the platform is already well-understood internally and the MDR provider has clean data to work with.

EDR-plus-MDR procurement playbook

  1. Decide whether the procurement-simplification value of bundled is worth the lock-in tradeoff. The decision depends on customer-side preferences, not on absolute right or wrong.
  2. Get quotes for both models from the same providers where possible. Bundled and layered pricing from the same provider typically lands within 10 to 15 percent of each other; differences are usually in non-price terms.
  3. For organisations with no incumbent EDR investment, bundled is the cleanest starting point. The procurement simplification is real and the lock-in cost is theoretical until exit becomes relevant.
  4. For organisations with existing EDR investment, layered is usually the cheaper and simpler addition because it preserves the platform investment.
  5. For phased adoption (EDR first, MDR later), plan for the 60 to 90 day MDR onboarding transition and budget the one-time onboarding fee of $10,000 to $50,000.
  6. See mdrcost.com for the MDR-side pricing framework in depth.

EDR plus MDR bundle questions

What is the typical all-in cost of EDR plus MDR?
EDR plus MDR all-in pricing in 2026 typically lands at $25 to $50 per endpoint per month across the two main procurement models. The layered model (the customer owns the EDR contract directly, the MDR provider operates on top of it via the EDR's API) typically lands at $25 to $50 per endpoint per month combined (EDR licence $3 to $15, MDR service layer $15 to $30, plus residual internal FTE). The all-in MDR model (the MDR provider supplies both platform and service in a single bundled contract) typically lands at $25 to $45 per endpoint per month all-in. The two models price similarly in aggregate; the differences are in flexibility and procurement complexity.
Is bundled MDR cheaper than layered?
Sometimes yes, sometimes no. Bundled MDR (MDR provider supplies both platform and service) can be 5 to 15 percent cheaper than equivalent layered procurement because the MDR provider purchases the EDR platform at scale and passes some of the volume discount through to the customer. The cost saving is real but not universal; some bundled MDR offerings actually price at parity with layered, with the procurement simplification being the value proposition rather than direct cost saving. The honest comparison requires getting quotes for both models from the same providers and normalising on a common per-endpoint per-month basis.
What is the lock-in tradeoff in bundled MDR?
Bundled MDR creates structural lock-in: switching the MDR provider means switching the EDR platform. The telemetry retention does not migrate; the analyst familiarity does not transfer; the detection-rule tuning is lost; the integration with the customer's other security tooling has to be redone. In the layered model, the customer continues to own the EDR contract directly, so the MDR provider can be swapped without touching the platform. The lock-in cost is real and meaningful for customers who value flexibility; the procurement simplicity of bundled is offset by the harder exit path.
Can I start with EDR alone and add MDR later?
Yes, and this is a common adoption path. Most MDR providers offer service-only contracts that operate on the customer's existing EDR via the platform's API, allowing customers to add the service layer to an existing EDR investment without re-procuring the platform. The transition typically takes 60 to 90 days for the MDR provider to come up the learning curve on the customer's environment, deploy their own correlation rules, and integrate with the customer's incident-response workflow. The transition cost is typically modest (one-time onboarding fee of $10,000 to $50,000) and the ongoing per-endpoint MDR service rate ($15 to $30) layers on top of the existing EDR licence.
When does MDR with bundled EDR make sense?
Bundled MDR is the right answer in three scenarios. First, organisations that are starting fresh with no incumbent EDR investment to preserve; the procurement simplification (one vendor relationship, one contract) is real value when there is no existing platform to integrate. Second, organisations that explicitly value vendor consolidation; some security programs deliberately reduce vendor count for vendor-management efficiency, and bundled MDR contributes to that goal. Third, organisations where the bundled offering is meaningfully cheaper than the layered equivalent on a normalised basis; for some providers, the cost saving from bundled volume discount is large enough to justify the lock-in.

Updated 2 May 2026